I bought a Western Digital 1TB Caviar Green hard drive. I want to store my files on it but also want to encrypt it, so I've downloaded TrueCrypt. However, TrueCrypt says that I can't encrypt the entire device as it has partitions - I can encrypt individual partitions though.

If I look in diskpart it only has one partition called Partition 1. I formatted it, still one partition. If I delete that partition in diskpart, then the disk becomes raw and I need to use Disk Management in Windows 7 to create a new simple volume before I can put things on the drive again.

Does an external hard drive need to have partitions? I think in this case it is one partition that takes up 100% of the space. However, doesn't that mean there will be an unencrypted partition table present when I encrypt the partition?

I wanted to be able to claim the drive is second hand and was securely erased if stopped by customs; having a partition table makes that seem less... plausible.

How are you connecting this drive (USB/eSATA)? Did you put it in an external enclosure yourself? I'm currently doing this with an eSATA external drive. On the eSATA drive, partitions outside the TrueCrypt container aren't necessary.
– bwall, Sep 14 '11 at 13:19

It came with an enclosure; it uses USB 2.0.
– frikadelen, Sep 14 '11 at 13:22

4 Answers
4

This is possible using an eSATA external drive and TrueCrypt, but not a USB drive, in my experience.

If you have the option of using eSATA, just back up your data, delete all the partitions, and choose "Encrypt a non-system partition/drive" in TrueCrypt, then select the drive.

TrueCrypt will not encrypt the entire drive on a USB drive under Windows. I am doing exactly what you suggest, and bought an eSATA enclosure to replace the USB one I had been using, because of this limitation.

Yes, you can put files on a 'raw' disk. Well, sort of. You cannot ask Windows to put them there. But you can use other software to directly manage that space. Like TrueCrypt. TrueCrypt will happily use that raw space as a container and create its own idea of a file system (that Windows doesn't understand). Then you can drag & drop or otherwise use that file system via the virtual drive letter that TrueCrypt assigns. It's far easier than it sounds. Just do it and you will see.

Why not just encrypt the single partition? Since it takes up the entire volume, it's functionally identical to encrypting the entire disk except that the partition table itself won't be encrypted ... and that makes no difference at all.

I use an external hard drive encrypted with TrueCrypt. On the volume screen you can select the hard disk device itself and not have any partitions on it. You will need to remove the partitions from the disk before beginning the encryption process.

If the partition table is totally erased on a USB or eSATA drive (say with a dd if=/dev/urandom of=/dev/ bs=1M count=1) it is possible to make a drive appear securely erased.
TrueCrypt and Windows will still reference the device as partition1. It is raw and unreadable.

I actually created a VM, wiped the hard drive and mounted a TrueCrypt-protected USB stick as outlined above. Using standard analysis tools such as gparted or fdisk shows the disk as unallocated, identical to a hard drive that has been wiped with DBAN. Vice versa, a disk that has been wiped with DBAN shows up as having a single raw primary partition. I believe the confusion on this is due to how Windows inherently treats block devices. Where Linux requires manually creating a partition, Windows assumes that no partition table equals a single partition filling the entire device.

If I do this with diskpart: select Disk 1, select partition 1, delete partition... yes, the drive no longer has partitions... but it appears with a black box around it in Windows Disk Management and you can't put anything on it... it is 'raw' then.
– frikadelen, Sep 14 '11 at 13:14

Yes - at that point you should be able to create an encrypted volume out of the whole disk.
– Tim Brigham, Sep 14 '11 at 13:17

But you can't put files on a 'raw' disk that has neither a FAT nor an NTFS volume on it...
– frikadelen, Sep 14 '11 at 13:19
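
Several answers above turn on whether the first sector of the drive still holds a partition table. As an added example (not from any poster, and not the actual code of fdisk, gparted or Windows), the Python below applies a simplified first-sector check for an MBR partition table to three constructed 512-byte samples. The function names and all sample values are assumptions made for the illustration.

```python
import hashlib
import struct

SECTOR = 512

def classify_sector0(sector: bytes) -> dict:
    """Decide from the first 512 bytes whether a disk carries an MBR partition table."""
    if len(sector) < SECTOR:
        raise ValueError("need the full first sector (512 bytes)")
    none = {"table": "none", "partitions": []}
    if sector[510:512] != b"\x55\xaa":          # boot signature missing
        return none
    parts = []
    for i in range(4):                           # four 16-byte entries at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        boot, ptype = entry[0], entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if boot not in (0x00, 0x80):             # signature present by chance, not a table
            return none
        if ptype != 0 and count != 0:
            parts.append({"index": i + 1, "type": ptype, "start": start, "sectors": count})
    kind = "gpt-protective" if any(p["type"] == 0xEE for p in parts) else "mbr"
    return {"table": kind, "partitions": parts}

def build_mbr(ptype=0x07, start=2048, sectors=1953521664) -> bytes:
    """Constructed sample: an MBR with one entry (values are illustrative)."""
    s = bytearray(SECTOR)
    s[446:462] = struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", ptype,
                             b"\xfe\xff\xff", start, sectors)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def pseudo_random_sector() -> bytes:
    """Constructed sample: deterministic stand-in for a sector overwritten with random data."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    noisy = bytearray(pseudo_random_sector())
    noisy[510:512] = b"\x55\xaa"                 # random data that happens to end in 55 AA
    for name, data in [("one partition", build_mbr()),
                       ("overwritten", pseudo_random_sector()),
                       ("overwritten, 55 AA by chance", bytes(noisy))]:
        print(name, "->", classify_sector0(data))
```

A sector that keeps the 55 AA signature but has four empty entries is reported as an MBR with no partitions, which is a different result from a sector with no recognisable table at all.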